Session problem -- sessions being recreated, browser related?

[Milt Epstein <me...@uiuc.edu>]

On a servlet-based application I have, I'm getting sporadic reports of
problems from users.  The symptoms are similar to what happens when
cookies are disabled (but they aren't, because I had the users check).
Basically, they can't get past the front page of the application,
because it won't let them without a valid session (recall that session
access is handled via cookies -- I'm not using URL Rewriting).  And
each time they try, Tomcat is creating a new session for them (and
giving them a new cookie).  Apparently, it's not recognizing the
existing session.

Now, this is only happening to a small subset of the users.  I haven't
isolated a pattern yet, but it may only be happening from certain
machines.  And the couple of machines I have found the problem on so
far are both using Internet Explorer version 4.0.  So that might be a
factor.  (I don't have 4.0 myself, but I did find an old copy of 3.02,
and it works OK with that.)

Oh, a bit of background -- we switched over from using Netscape
Enterprise Server and ServletExec to Apache/Tomcat a couple of weeks
ago, and the problem seems to have only started occurring since then.
So it does appear to be something Apache/Tomcat-specific.

Thanks.

Milt Epstein
Research Programmer
Software/Systems Development Group
Computing and Communications Services Office (CCSO)
University of Illinois at Urbana-Champaign (UIUC)
mepstein@uiuc.edu

Re: Session problem -- sessions being recreated, browser related?

[Milt Epstein <me...@uiuc.edu>]

On Tue, 3 Apr 2001, Jeff Kilbride wrote:

> Hi Milt,
> 
> Are you using ajp12 or ajp13 as your connector protocol? Apparently,
> ajp13 has known bugs that cause dropped sessions.
> 
> I got this from Mike Slinn after visiting his site
> (http://tomcat.mslinn.com) and noticing that he said "Tomcat v3.2.1
> works better with this [AJP12] connector than with AJP13" in his
> server.xml explanation. I sent him an email to ask him why and he
> replied "ajp13 has bugs that cause dropped sessions."
> 
> If this is true, I'm surprised it's not more widely known. The docs
> talk about ajp13 being much faster due to it's connection re-use, so
> obviously it was my first choice. I'm not using sessions anywhere,
> yet, but if I do I'm going to implement ajp12 instead of ajp13. I'd
> be really interested to find out if this is the cause of your
> problems.

Thanks for the response.  I'm using mod_jserv, which means ajp12
(ajp13 is only available with mod_jk).  So I guess that can't be the
cause of my problems.

I don't think it's anything so complicated as dropped sessions.  I
think it just has something to do with the cookie handling that is
getting screwed up.  Like apache/tomcat not getting the session cookie
back, so it thinks there's no session.  (And recall that this is
something that was apparently working fine a few weeks ago when we
were using NES/ServletExec, so that restricts how general a problem
this is somewhat.)


> ----- Original Message -----
> From: "Milt Epstein" <me...@uiuc.edu>
> To: <to...@jakarta.apache.org>
> Sent: Tuesday, April 03, 2001 1:06 PM
> Subject: Session problem -- sessions being recreated, browser related?
> 
> 
> >
> > On a servlet-based application I have, I'm getting sporadic reports of
> > problems from users.  The symptoms are similar to what happens when
> > cookies are disabled (but they aren't, because I had the users check).
> > Basically, they can't get past the front page of the application,
> > because it won't let them without a valid session (recall that session
> > access is handled via cookies -- I'm not using URL Rewriting).  And
> > each time they try, Tomcat is creating a new session for them (and
> > giving them a new cookie).  Apparently, it's not recognizing the
> > existing session.
> >
> > Now, this is only happening to a small subset of the users.  I haven't
> > isolated a pattern yet, but it may only be happening from certain
> > machines.  And the couple of machines I have found the problem on so
> > far are both using Internet Explorer version 4.0.  So that might be a
> > factor.  (I don't have 4.0 myself, but I did find an old copy of 3.02,
> > and it works OK with that.)
> >
> > Oh, a bit of background -- we switched over from using Netscape
> > Enterprise Server and ServletExec to Apache/Tomcat a couple of weeks
> > ago, and the problem seems to have only started occurring since then.
> > So it does appear to be something Apache/Tomcat-specific.
> >
> > Thanks.
> >
> > Milt Epstein
> > Research Programmer
> > Software/Systems Development Group
> > Computing and Communications Services Office (CCSO)
> > University of Illinois at Urbana-Champaign (UIUC)
> > mepstein@uiuc.edu
> >
> 

Milt Epstein
Research Programmer
Software/Systems Development Group
Computing and Communications Services Office (CCSO)
University of Illinois at Urbana-Champaign (UIUC)
mepstein@uiuc.edu

Re: Session problem -- sessions being recreated, browser related?

[Jeff Kilbride <je...@kilbride.com>]

Hi Milt,

Are you using ajp12 or ajp13 as your connector protocol? Apparently, ajp13
has known bugs that cause dropped sessions.

I got this from Mike Slinn after visiting his site
(http://tomcat.mslinn.com) and noticing that he said "Tomcat v3.2.1 works
better with this [AJP12] connector than with AJP13" in his server.xml
explanation. I sent him an email to ask him why and he replied "ajp13 has
bugs that cause dropped sessions."

If this is true, I'm surprised it's not more widely known. The docs talk
about ajp13 being much faster due to it's connection re-use, so obviously it
was my first choice. I'm not using sessions anywhere, yet, but if I do I'm
going to implement ajp12 instead of ajp13. I'd be really interested to find
out if this is the cause of your problems.

Thanks,
--jeff

----- Original Message -----
From: "Milt Epstein" <me...@uiuc.edu>
To: <to...@jakarta.apache.org>
Sent: Tuesday, April 03, 2001 1:06 PM
Subject: Session problem -- sessions being recreated, browser related?


>
> On a servlet-based application I have, I'm getting sporadic reports of
> problems from users.  The symptoms are similar to what happens when
> cookies are disabled (but they aren't, because I had the users check).
> Basically, they can't get past the front page of the application,
> because it won't let them without a valid session (recall that session
> access is handled via cookies -- I'm not using URL Rewriting).  And
> each time they try, Tomcat is creating a new session for them (and
> giving them a new cookie).  Apparently, it's not recognizing the
> existing session.
>
> Now, this is only happening to a small subset of the users.  I haven't
> isolated a pattern yet, but it may only be happening from certain
> machines.  And the couple of machines I have found the problem on so
> far are both using Internet Explorer version 4.0.  So that might be a
> factor.  (I don't have 4.0 myself, but I did find an old copy of 3.02,
> and it works OK with that.)
>
> Oh, a bit of background -- we switched over from using Netscape
> Enterprise Server and ServletExec to Apache/Tomcat a couple of weeks
> ago, and the problem seems to have only started occurring since then.
> So it does appear to be something Apache/Tomcat-specific.
>
> Thanks.
>
> Milt Epstein
> Research Programmer
> Software/Systems Development Group
> Computing and Communications Services Office (CCSO)
> University of Illinois at Urbana-Champaign (UIUC)
> mepstein@uiuc.edu
>

Re: Session problem -- sessions being recreated, browser related?

[Dave Ferguson <df...@touchnet.com>]

Hi Milt,

I've been testing Tomcat recently and found something similar.  Like you, I was successfully using ServletExec and switched to Apache/Tomcat.  Suddenly sessions were getting lost for no apparent reason.  It was happening for all browsers, not just IE 4 and it was happening on both Tomcat 3.1 and 3.2.2b3.

I finally figured it out.  It was because Tomcat and ServletExec return different things for request.getServerName().  In my case, I had an initial JSP which did a request to a controller servlet (Model 2).  The controller servlet called sendRedirect( someURL ), where "someURL" was constructed (in part) by called req.getServerName().  I happened to access the first JSP with http://localhost/, which means the cookie was set with "localhost" as the server name.  Well, Tomcat does some sort of DNS lookup because it returned "name.domain.com" for getServerName(), not "localhost".  Thus calling sendRedirect() with a different server name caused the browser to NOT send the cookie and thus the previous session was lost.

The same behavior results if you access the first JSP with the IP address.  The problem goes away if you access the first JSP with "name.domain.com".  Thought I'd share my experience.  Maybe that is what's happening to some of your users.

Dave F.

Milt Epstein wrote:

> On a servlet-based application I have, I'm getting sporadic reports of
> problems from users.  The symptoms are similar to what happens when
> cookies are disabled (but they aren't, because I had the users check).
> Basically, they can't get past the front page of the application,
> because it won't let them without a valid session (recall that session
> access is handled via cookies -- I'm not using URL Rewriting).  And
> each time they try, Tomcat is creating a new session for them (and
> giving them a new cookie).  Apparently, it's not recognizing the
> existing session.
>
> Now, this is only happening to a small subset of the users.  I haven't
> isolated a pattern yet, but it may only be happening from certain
> machines.  And the couple of machines I have found the problem on so
> far are both using Internet Explorer version 4.0.  So that might be a
> factor.  (I don't have 4.0 myself, but I did find an old copy of 3.02,
> and it works OK with that.)
>
> Oh, a bit of background -- we switched over from using Netscape
> Enterprise Server and ServletExec to Apache/Tomcat a couple of weeks
> ago, and the problem seems to have only started occurring since then.
> So it does appear to be something Apache/Tomcat-specific.
>
> Thanks.
>
> Milt Epstein
> Research Programmer
> Software/Systems Development Group
> Computing and Communications Services Office (CCSO)
> University of Illinois at Urbana-Champaign (UIUC)
> mepstein@uiuc.edu

Re: Session problem -- sessions being recreated, browser related?

["Craig R. McClanahan" <cr...@apache.org>]

On Tue, 3 Apr 2001, Milt Epstein wrote:

> 
> On a servlet-based application I have, I'm getting sporadic reports of
> problems from users.  The symptoms are similar to what happens when
> cookies are disabled (but they aren't, because I had the users check).
> Basically, they can't get past the front page of the application,
> because it won't let them without a valid session (recall that session
> access is handled via cookies -- I'm not using URL Rewriting).  And
> each time they try, Tomcat is creating a new session for them (and
> giving them a new cookie).  Apparently, it's not recognizing the
> existing session.
> 
> Now, this is only happening to a small subset of the users.  I haven't
> isolated a pattern yet, but it may only be happening from certain
> machines.  And the couple of machines I have found the problem on so
> far are both using Internet Explorer version 4.0.  So that might be a
> factor.  (I don't have 4.0 myself, but I did find an old copy of 3.02,
> and it works OK with that.)
> 
> Oh, a bit of background -- we switched over from using Netscape
> Enterprise Server and ServletExec to Apache/Tomcat a couple of weeks
> ago, and the problem seems to have only started occurring since then.
> So it does appear to be something Apache/Tomcat-specific.
> 

One potential behavior difference might be in how the session cookies are
generated.  Tomcat sets the path of the cookie to be equal to the context
path of the web application to which this cookie belongs -- I don't know
if NES and ServletExec do that.  If they don't, you might see the same
session cookie come back in on a URL that is not really part of the same
webapp, where that would *not* happen with Tomcat.

A potential client-side issue can happen if you have two context paths
with one being the proper prefix of another (i.e. "/foo" and
"/foo/bar" both being webapps).  If a user has sessions in both, then
*two* session cookies will be included on requests received by the
/foo/bar webapp.  Tomcat relies on the client to follow the RFC rules and
list the cookie for the longer path first (since there is no other way to
distinguish the two).  You might want to put a network trace on and make
sure your clients really do that, if you have webapps like this.

> Thanks.
> 
> Milt Epstein
> Research Programmer
> Software/Systems Development Group
> Computing and Communications Services Office (CCSO)
> University of Illinois at Urbana-Champaign (UIUC)
> mepstein@uiuc.edu
> 
> 
Craig McClanahan